IBM bans the use of removable storage by employees

Greg S


IBM has implemented a complete ban on the use of removable storage devices to prevent the accidental spread of malware and theft of data.

Curiosity is one aspect of human nature that is difficult to suppress, even in the name of corporate security. There have been numerous cases where flash drives found outside an office were plugged into corporate computers, which were then infected.

Back in 2010, Avast put out a warning that the majority of malware in existence is capable of being spread by USB drives. Since then, developers of malicious software have only gotten more creative about how to hide their payloads on removable devices.

IBM has already banned the use of removable storage devices in certain divisions where security is tight, but is now expanding the policy globally. Instead of using removable storage, employees are being directed to use a file sync 'n' share service for sending and receiving data.

Management is reportedly aware that the new policy could be "disruptive for some," but believes the minor inconvenience is justified because "the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices must be minimized."

Even with AutoRun disabled, a USB device that looks like a flash drive can present itself to the host as a human interface device (HID) such as a keyboard or mouse. A microcontroller embedded in a specially crafted USB stick can then inject keystrokes and mouse clicks automatically into any machine whose USB ports are enabled.

Human interface devices do not require any special authorization before they start functioning on modern operating systems. This is a known weakness with no obvious fix: if some user action were required to enable a mouse or keyboard, how could the user provide it when no input device is yet enabled?
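As an added illustration of the detection logic the article hints at (constructed example code, not from the article or from IBM): a small policy that inspects a newly attached device's interface descriptors, rejects a "storage" device that also claims a keyboard or mouse interface, blocks plain storage outright in line with the ban, and holds unknown input devices for approval instead of enabling them silently. Vendor IDs, serials and the pre-authorized inventory are constructed values; the class codes 0x03 (HID) and 0x08 (mass storage) are the standard USB base classes.

```python
"""Interface-class policy for newly attached USB devices: block storage, reject
"storage" that also presents an input interface, hold unknown input devices."""
from dataclasses import dataclass
from typing import Dict, Tuple

Iface = Tuple[int, int, int]            # (class, subclass, protocol)
HID, MASS_STORAGE = 0x03, 0x08          # USB-IF base class codes

@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    serial: str
    interfaces: Tuple[Iface, ...]

# Pre-authorized devices (constructed sample values), recorded WITH their
# interface set so a device that spoofs a trusted identity but adds
# interfaces is not waved through.
KNOWN: Dict[Tuple[int, int, str], Tuple[Iface, ...]] = {
    (0x1234, 0x0001, "KB-0001"): ((HID, 0x01, 0x01),),   # workstation keyboard
}

def decide(dev: UsbDevice) -> Tuple[str, str]:
    """Return (decision, reason); decisions are allow, block, reject, hold."""
    classes = {cls for cls, _sub, _proto in dev.interfaces}
    if MASS_STORAGE in classes and HID in classes:
        # The signature of a microcontroller disguised as a flash drive.
        return "reject", "storage device also presents a HID interface"
    expected = KNOWN.get((dev.vid, dev.pid, dev.serial))
    if expected is not None and expected == dev.interfaces:
        return "allow", "pre-authorized device with expected interfaces"
    if MASS_STORAGE in classes:
        return "block", "removable storage is banned by policy"
    if HID in classes:
        # Not enabled silently: an administrator, or an already-trusted
        # input device, must approve it first.
        return "hold", "new input device awaiting authorization"
    return "allow", "no storage or input interfaces"

# Constructed devices to exercise the policy.
FLASH_DRIVE = UsbDevice(0x5678, 0x0010, "SN-A", ((MASS_STORAGE, 0x06, 0x50),))
DISGUISED = UsbDevice(0x5678, 0x0010, "SN-B",
                      ((MASS_STORAGE, 0x06, 0x50), (HID, 0x01, 0x01)))
NEW_MOUSE = UsbDevice(0x9ABC, 0x0020, "", ((HID, 0x01, 0x02),))
OWN_KEYBOARD = UsbDevice(0x1234, 0x0001, "KB-0001", ((HID, 0x01, 0x01),))
SPOOFED = UsbDevice(0x1234, 0x0001, "KB-0001",
                    ((HID, 0x01, 0x01), (HID, 0x01, 0x02)))  # extra interface
if __name__ == "__main__":
    for d in (FLASH_DRIVE, DISGUISED, NEW_MOUSE, OWN_KEYBOARD, SPOOFED):
        print(f"{d.vid:04x}:{d.pid:04x} {d.serial or '-'} -> {decide(d)}")
```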


 
Interesting, seeing that the ubiquitous USB device represents the same risk as the original floppy drives.

There have been multiple solutions for USB Management for several years, primarily targeted at the security risk of data "walking out the door". The total solution must take control of all USB ports and control whether the device gets mounted to stop the infection threat; Autorun is too late. Some notable products are:
 
I guess phones with cameras are banned too? Or phones with USB access. Or phones with voice recording features. Or phones with access to your company email.
 
"If actions are required to enable a mouse and keyboard, how would that be done if there is no way to input a choice?"

Easy - when a USB HID (mouse, keyboard, etc.) is plugged in, the system should pop up a window:

USB KEYBOARD DETECTED. If this is NOT as expected, your system MAY BE VULNERABLE to attack by this device. IF SO, *** REMOVE THE USB DEVICE NOW ***.

Then wait 15 seconds before enabling the device.
 
Honestly I think this is going too far. As every commenter on The Register pointed out, this won't do ANYTHING to prevent data "walking out the door". If someone wants to steal data they can still do so, easily, without the use of USB. Multiple workarounds exist.

You need removable storage. This is just annoying corporate bullshit, written by suits who aren't in the field.
 
I am talking about the turn of the century, 1998, when my daughter was working as an admin with UBS in New York. They had one exclusive secure room for the purpose of creating / reading portable data: CD, DVD, pen drive. There was zero availability of this facility at workstations. In fact I have raised this very point in a number of fora. Why can't manufacturers provide motherboards that simply do not have on-board USB ports for the operators to plug into? There were times when these had to be on the rear panel with cables that had to be plugged into the headers on the motherboard! Asus has an on-board jumper which, if removed, disconnects ALL rear-panel on-board USB sockets. They also have provision for securing the cabinet against unauthorised access.

Why is everyone waking up so late? Maybe it is the American way. Never deal with the root of the problem. Like why allow burner phones or hiding the caller ID? We do know that it is used mostly by terrorists, gang members, mafia and other illegal activists and unsavoury characters. But no. Spend millions in monitoring and tracing effort but never in prevention!
 
"If actions are required to enable a mouse and keyboard, how would that be done if there is no way to input a choice?"

Easy - when a USB HID (mouse, keyboard, etc.) is plugged in, the system should pop up a window:

USB KEYBOARD DETECTED. If this is NOT as expected, your system MAY BE VULNERABLE to attack by this device. IF SO, *** REMOVE THE USB DEVICE NOW ***.

Then wait 15 seconds before enabling the device.
FYI I have been using Asus motherboards for the past 15 years. They still have PS2 sockets for KB and mouse. Believe me, if there is a demand for such items, manufacturers will make them available. I am planning to upgrade my system to an 8th gen i5 and even the latest compatible motherboard with the latest Intel chipset has these PS2 ports. You MOST certainly do not need portable data access.
 
Never deal with the root of the problem. Like why allow burner phones or hiding the caller ID? We do know that it is used mostly by terrorists, gang members, mafia and other illegal activists and unsavoury characters. But no. Spend millions in monitoring and tracing effort but never in prevention!
Even if there is a law in place to prevent such actions, people break laws all the time. I suspect that there are those in your country that also break the law all the time, too, so even though you might not like it, you have no high road or high path here.

While I would love to live in a world where people always act honorably and respectfully to all other fellow human beings, it simply does not exist at this point, and, unfortunately, to change that requires more than just a law making hiding caller ID illegal. It may sound simple, but the problem is systemic. The system is, as I see it, a modern version of feudalism and until that changes, some people will always be out to capture as much of the gold as they can get no matter who they hurt in the process.
 
I guess phones with cameras are banned too? Or phones with USB access. Or phones with voice recording features. Or phones with access to your company email.
I have seen call centers in Mumbai where you DO have to deposit all your electronic stuff at the main gate.
And this is not unheard of in many companies these days. I have a friend who works in a company where copying anything to a removable drive is allowed by only a few select employees. As I see it, it is a smart policy in a world where mal-whatever could be spread by someone even without their knowledge.
 
That is exactly my point. Here in India there is no such thing as a burner phone. That kind of service is just not available. There is no way I can hide my caller ID from being sent to the recipient. The telcos are required by law to display it. They can lose their license and be penalised if they don't comply. It is NOT in the hands of the user. Such a feature in the instrument OS itself simply does not work. The caller ID will show up on the recipient's phone as soon as it rings. We also are big-time users of the Truecaller application. It will identify the caller and display more of his / her details. Just because a caller may have the right to hide his number, I have the right to know who is calling, based on which I may or may not want to answer the call.
 
And this is not unheard of in many companies these days. I have a friend who works in a company where copying anything to a removable drive is allowed by only a few select employees. As I see it, it is a smart policy in a world where mal-whatever could be spread by someone even without their knowledge.
Maybe it is time to go back to PS2 KB+Mouse and eliminate USB altogether in these environments.
 
"If actions are required to enable a mouse and keyboard, how would that be done if there is no way to input a choice?"

Easy - when a USB HID (mouse, keyboard, etc.) is plugged in, the system should pop up a window:

USB KEYBOARD DETECTED. If this is NOT as expected, your system MAY BE VULNERABLE to attack by this device. IF SO, *** REMOVE THE USB DEVICE NOW ***.

Then wait 15 seconds before enabling the device.
What exactly is this supposed to accomplish? Do you think an attacker wouldn't wait 15 seconds before breaching the machine?
 
What exactly is this supposed to accomplish? Do you think an attacker wouldn't wait 15 seconds before breaching the machine?
I guess the USB drivers would need to be made smarter such that they can differentiate and NOT activate mass storage devices. Newer is not necessarily better. I have had more problems with SATA connectors, both power and data. Have had more problems with USB KB & mice. How absurdly stupid of the system BIOS to throw up a message like "Keyboard not detected. Press F1 for settings". I can still use a USB mouse on a PS2 port by using an adapter. How do I manage keyboards?
 